If Cilium is allowing / denying connections in a way that is not aligned with the
intent of your Cilium Network policy, there is an easy way to verify whether, and
which, policy rules apply between two endpoints. The cilium policy trace command
simulates the policy decision between the source and destination endpoints.

An L3/L4 policy is enforced on the deathstar service to allow access to all spaceships with the label org=empire. With this policy, access from tiefighter is allowed but access from xwing will be denied. Let's use cilium policy trace to simulate the policy decision. The command can be run using pod names, labels or Cilium security identities.

Note

If the --dport option is not specified, then the L4 policy will not be
consulted by the policy trace command, so a trace without it can report a
verdict that differs from what the datapath enforces for a given port.
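As an added example (not part of the Cilium documentation), the following shell functions wrap cilium policy trace so that the intended verdict for a source/destination pair can be asserted in a script, for instance as a smoke test after a policy change. It assumes the trace output ends with a "Final verdict: ALLOWED" or "Final verdict: DENIED" line, and uses the CILIUM_CMD variable so the real binary can be swapped for a stub when no cluster is available.

```shell
#!/usr/bin/env bash
# Added example: turn a `cilium policy trace` run into a pass/fail check.
# CILIUM_CMD may point at a stub for offline runs (default: the cilium CLI).
set -u
CILIUM_CMD="${CILIUM_CMD:-cilium}"

# Print only the final verdict (ALLOWED / DENIED / UNKNOWN) of a policy trace.
# Arguments: source namespace:pod, destination namespace:pod, destination port.
policy_verdict() {
    local src="$1" dst="$2" dport="$3" out verdict
    # --dport is passed explicitly so that L4 rules are consulted as well.
    out="$("$CILIUM_CMD" policy trace --src-k8s-pod "$src" \
        --dst-k8s-pod "$dst" --dport "$dport" 2>&1)" || true
    # Assumption: the trace ends with a "Final verdict: <VERDICT>" line.
    verdict="$(printf '%s\n' "$out" \
        | sed -n 's/^Final verdict: *\([A-Z]*\).*/\1/p' | tail -n 1)"
    printf '%s\n' "${verdict:-UNKNOWN}"
}

# Compare the traced verdict with the intended one; returns 0 only on a match.
expect_verdict() {
    local src="$1" dst="$2" dport="$3" want="$4" got
    got="$(policy_verdict "$src" "$dst" "$dport")"
    if [ "$got" = "$want" ]; then
        printf 'OK   %s -> %s:%s is %s\n' "$src" "$dst" "$dport" "$got"
        return 0
    fi
    printf 'FAIL %s -> %s:%s expected %s, got %s\n' \
        "$src" "$dst" "$dport" "$want" "$got" >&2
    return 1
}

# Against a live cluster, the intent from the text above would be checked with:
#   expect_verdict default:tiefighter default:deathstar 80 ALLOWED
#   expect_verdict default:xwing default:deathstar 80 DENIED
```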

To determine which policy rules are currently in effect for an endpoint, the
data from cilium endpoint list and cilium endpoint get can be paired
with the data from cilium policy get. cilium endpoint get lists the
labels of each rule that applies to an endpoint. That list of labels can be
passed to cilium policy get to show the exact source policy. Note that
rules that have no labels cannot be fetched on their own (cilium policy get
without labels returns the complete policy on the node). Rules that share the
same labels are returned together.

In the above example, for one of the deathstar pods the endpoint id is 568. We can print all policies applied to it with: